Improve FTP Security Using vsftpd with SSL/TLS

Plain (unencrypted) FTP is not secure: everything, including the FTP username and password, travels in clear text, so anyone who can observe the traffic can read it. The fix is to wrap the FTP control and data connections in SSL/TLS (FTPS).

In this tutorial we will go through how an FTP server (a machine running FTP server software) can be secured with SSL/TLS so that file transfers are encrypted. The steps target CentOS with vsftpd and apply equally to shared hosting servers.

vsftpd (Very Secure FTP Daemon) is a fast, lightweight FTP server with a strong security track record and native SSL/TLS support.

Installing vsftpd

You can install vsftpd easily via yum as it is available in the default CentOS repository.

yum install vsftpd

Edit vsftpd configuration file to tighten security

Open the vsftpd configuration file (by default /etc/vsftpd/vsftpd.conf) and set the following directives. Where a directive already exists, commented out or with a different value, change that line instead of adding a second copy: later lines override earlier ones, and duplicate keys make the file hard to audit.

nano /etc/vsftpd/vsftpd.conf

Disable anonymous login

anonymous_enable=NO

Use linux system users and authentication for login

local_enable=YES

Allow authenticated users to upload, delete and rename files (leave this at NO on a download-only server)

write_enable=YES

Limit each FTP user to their own home directory. Note that vsftpd 2.3.5 and later refuses the login ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") if the chroot directory itself is writable by the user. Make the home directory owned by root and not writable by the user and give the user a writable subdirectory for uploads, or, less safely, add allow_writeable_chroot=YES.

chroot_local_user=YES

Setup SSL for vsftpd

Create a directory for the SSL files (certificate and key) if it does not already exist, and keep it accessible to root only.

mkdir /etc/ssl/private

We can create a self-signed certificate and its private key in a single PEM file with the openssl command. Use a 2048-bit (or larger) RSA key; 1024-bit RSA keys are too weak to rely on today.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

The command prompts for the certificate subject fields (country, organisation, Common Name and so on); answer them and press Enter, giving the server's hostname as the Common Name. Because the file also contains the unencrypted private key (-nodes), restrict it so that only root can read it (mode 600). A self-signed certificate encrypts the connection, but clients cannot verify it against a CA and will warn on first connection or need the certificate pinned; use a CA-issued certificate wherever clients must verify the server's identity.


Modify vsftpd config to add SSL/TLS Information

Open vsftpd config file

nano /etc/vsftpd/vsftpd.conf

Add the following lines to tell vsftpd where the certificate and key are. Both point at the same file because the openssl command above wrote the key and the certificate together.

rsa_cert_file=/etc/ssl/private/vsftpd.pem

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Enable SSL/TLS and require it for local users on both the login (control) channel and the data transfers, so that a plaintext login attempt is rejected instead of leaking credentials. Add the following lines

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

Allow TLS and explicitly deny the broken SSLv2 and SSLv3 protocols with the following lines. ssl_tlsv1 is the only TLS switch in the vsftpd versions shipped with older CentOS releases; newer vsftpd releases also provide ssl_tlsv1_1 and ssl_tlsv1_2 directives (check man vsftpd.conf), and where they exist TLS 1.0 and 1.1 should be disabled as well.

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

Add these settings as well. require_ssl_reuse=NO is a compatibility choice, not a hardening one: by default vsftpd requires every data connection to reuse the TLS session of the control connection, which stops a third party from slipping in its own data connection, but many FTP clients do not support session reuse and fail with the default. ssl_ciphers=HIGH restricts negotiation to the strong cipher suites in OpenSSL's HIGH group.

require_ssl_reuse=NO

ssl_ciphers=HIGH

Restart vsftpd for the changes to take effect. On CentOS 6 and earlier:

/etc/init.d/vsftpd restart

On CentOS 7 and later, which use systemd, run systemctl restart vsftpd instead.
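As an added example that is not part of the original tutorial, the following bash script applies every directive from the steps above to vsftpd.conf in one go and then audits the result. It is idempotent: each directive replaces any existing active or commented copy instead of being appended as a duplicate, so running it twice leaves one clean line per key. The script, its function names and its --apply flag are this editor's own; it assumes the CentOS paths used above (/etc/vsftpd/vsftpd.conf and /etc/ssl/private/vsftpd.pem) and GNU sed/stat.

```bash
#!/usr/bin/env bash
# harden-vsftpd.sh (added example, not from the original tutorial).
# Applies the vsftpd.conf directives from this page idempotently and audits
# the result. Paths default to the CentOS locations used above; the function
# names and the --apply flag are this example's own.
set -u

# set_conf KEY VALUE FILE
# Remove every active or commented ("#KEY=") definition of KEY, then append
# exactly one "KEY=VALUE" line, so re-running never creates duplicate keys.
set_conf() {
    local key=$1 value=$2 file=$3
    sed -i -E "/^[#[:space:]]*${key}=/d" "$file"
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# harden_vsftpd CONF [PEM]
# The directive set from this tutorial; PEM holds both key and certificate.
harden_vsftpd() {
    local conf=$1 pem=${2:-/etc/ssl/private/vsftpd.pem} kv
    for kv in \
        anonymous_enable=NO local_enable=YES write_enable=YES \
        chroot_local_user=YES \
        "rsa_cert_file=$pem" "rsa_private_key_file=$pem" \
        ssl_enable=YES allow_anon_ssl=NO \
        force_local_data_ssl=YES force_local_logins_ssl=YES \
        ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO \
        require_ssl_reuse=NO ssl_ciphers=HIGH
    do
        set_conf "${kv%%=*}" "${kv#*=}" "$conf"
    done
}

# audit_vsftpd CONF
# Print every security-relevant directive that is unset or weak (the last
# occurrence wins, as in vsftpd). Returns 0 only when all of them are right.
audit_vsftpd() {
    local conf=$1 rc=0 kv key want got
    for kv in anonymous_enable=NO allow_anon_ssl=NO ssl_enable=YES \
              force_local_logins_ssl=YES force_local_data_ssl=YES \
              ssl_sslv2=NO ssl_sslv3=NO chroot_local_user=YES
    do
        key=${kv%%=*}; want=${kv#*=}
        got=$(grep -E "^${key}=" "$conf" | tail -n 1 | cut -d= -f2-)
        if [ "$got" != "$want" ]; then
            echo "WEAK: ${key}=${got:-<unset>} (want ${want})"
            rc=1
        fi
    done
    return "$rc"
}

# pem_ok PEM
# The combined file must carry a private key and a certificate, and must not
# be readable by anyone but its owner (mode 600).
pem_ok() {
    local pem=$1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
    [ "$(stat -c %a "$pem")" = 600 ]
}

# Only touch real files when explicitly asked:
#   bash harden-vsftpd.sh --apply [/etc/vsftpd/vsftpd.conf] [/etc/ssl/private/vsftpd.pem]
if [ "${1:-}" = "--apply" ]; then
    conf=${2:-/etc/vsftpd/vsftpd.conf}
    pem=${3:-/etc/ssl/private/vsftpd.pem}
    cp -p "$conf" "$conf.bak.$(date +%s)"     # keep a backup of the original
    chmod 600 "$pem"                          # the file holds the private key
    harden_vsftpd "$conf" "$pem"
    pem_ok "$pem" || echo "WARN: $pem is missing key/cert or is not mode 600"
    audit_vsftpd "$conf" && echo "vsftpd.conf hardened; restart vsftpd to apply"
fi
```

The audit deliberately reads the last occurrence of each key, which is the one vsftpd honours, so it catches the common mistake of appending ssl_enable=YES below an older ssl_enable=NO. Run the audit alone (source the script and call audit_vsftpd /etc/vsftpd/vsftpd.conf) before and after a change to see exactly which directives still need attention.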

This enables encrypted file transfers between clients and the FTP server. Verify it with an FTPS-capable client such as curl --ssl-reqd (add -k while the certificate is self-signed) or FileZilla in explicit TLS mode, and confirm that a plain FTP client is now refused with "530 Non-anonymous sessions must use encryption". Keep in mind that once the control channel is encrypted a firewall can no longer read the PASV reply, so passive mode needs a fixed port range (pasv_min_port and pasv_max_port) opened on the firewall.

Simples! 🙂
